(Description: 'Title: The Moby Dog Story
               Copyright 1994 Zeke Jones')
(Work-ID: 'Vanity-Press-Registry-lkjdf98734')
(Owner: 'Zeke-Jones-ID12345-zxcvoiuyr')
(Rights-Group: 'Regular'
  (Bundle:
    (Fee: (To: 'Account-Jones-Pub24afdoui4398'))
    (Access: (Security-Level: 2)) )
  (Copy: (Fee: (Per-Use: 5)))
  (Transfer: )
  (Delete: )
  (Play: )                                                  614
  (Print:                                                   613
  (Print:
    (Fee: (Ticket: 'Jones-Prepaid-Print-9085oijgr4')
      (Printer: 'TrustedPrinter-6070-qoeiru45587') )
    (Watermark:
      (Watermark-Str: 'Title: Moby Dog Copyright 1994
                       by Zeke Jones.
                       All Rights Reserved.')
      (Watermark-Tokens: user-id institution-location
                         render-name render-location
                         render-time) )))
                                                            616
    (Fee: (Per-Use: 10))
    (Printer: 'TrustedPrinter-6070-qoeiru45587') ) ))
    (Watermark:                                             613
      (Watermark-Str: 'Title: Moby Dog Copyright 1994
                       by Zeke Jones.
                       All Rights Reserved.')
      (Watermark-Tokens: user-id institution-location
                         render-name render-location
                         render-time) )))
(Description: 'Title: The Moby Dog Story
               Copyright 1994 Zeke Jones')
(Work-ID: 'Vanity-Press-Registry-lkjdf98734')
(Owner: 'Zeke-Jones-ID12345-zxcvoiuyr')
(Rights-Group: 'Regular'
  (Bundle:
    (Fee: (To: 'Account-Jones-Pub24afdoul4398'))
    (Access: (Security-Level: 2)))
  (Copy: (Fee: (Per-Use: 5))
    (Access: (Destination-Authorization: 'Jones-Distributor-9845kjh' )))
  (Transfer: (Access: (Destination-Authorization: 'Jones-Distributor-9845kjh' )))
  (Delete: )
  (Play: )
  (Print:
    (Fee: (Ticket: 'Jones-Prepaid-Print-9085oijgr4'))
    (Printer: 'TrustedPrinter-6070-qoeiru45587') )
    (Watermark:
      (Watermark-Str: 'Title: Moby Dog Copyright 1994
                       by Zeke Jones.
                       All Rights Reserved.')
      (Watermark-Tokens: user-id institution-location
                         render-name render-location
                         render-time) )))
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Zeb Zack - Tlie Moby Dog Story 
Copyright 1994 Zeke Jones. ALL RIGHTS RESERVED 

THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT 
THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY. HE WAS A 
BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED 
MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT 
A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A 
STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A 
WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT 
THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A 
BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED 
MOBY HEWASABIGDOGTHATTHOUGHTHEWASAWHALE. THIS IS A STORY ABOUT 
A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A 
STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A 
WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT 
THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A 
BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED 
MOBY HE WAS A BIG DOG THATTHOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT 
A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A 
STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A 
WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT 
THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A 
BIG DOG THATTHOUGHT HEWAS A WHALE. THIS IS A STORY ABOUT A DOG NAMED 
MOBY HE WAS A BIG DOG THATTHOUGHT HE WAS A WHALE. J 
SYSTEM FOR CONTROLLING THE DISTRIBUTION AND USE OF RENDERED DIGITAL WORKS THROUGH WATERMAKING

This Application claims benefit of Provisional Application Ser. No. 60/039,275 filed Feb. 28, 1997.

FIELD OF THE INVENTION

The present invention relates to the field of distribution and usage rights enforcement for digitally encoded works, and in particular to identification of non-authorized copies of digitally encoded works that have been rendered.

BACKGROUND OF THE INVENTION

U.S. Pat. No. 5,629,980 entitled "System For Controlling the Distribution And Use Of Digital Works", issued May 13, 1997, describes a system which provides for the secure and accounted for distribution of digitally encoded works (hereinafter digital works). However, once a digital work leaves the digital domain, e.g. it is printed out, played or otherwise rendered, it is no longer secure and can be subjected to unauthorized copying. This is a problem for all rendered digital works.

Two known techniques for protecting digital works by imparting information onto the digital work itself are "watermarking" and "fingerprinting". The term watermark historically refers to a translucent design impressed on paper during manufacture which is visible when the paper is held to the light. Because watermarks are impressed using combinations of water, heat, and pressure, they are not easy to add or alter outside of the paper factory. Watermarks are used in making letterheads and are intended to indicate source and that a document is authentic and original and not a reproduction.

One technique for creating such a watermark when a digital work is printed is described in U.S. Pat. No. 5,530,759 entitled "Color Correct Digital Watermarking of Images" issued Jun. 25, 1996. In this approach the watermark image is combined with the digital image to create the watermarked image. The watermark image acts as a template to change the chromacity of corresponding pixels in the digital image thus creating the watermark. In any event, these notices serve as social reminders to people to not make photocopies.

The term watermark is now used to cover a wide range of technologies for marking rendered works, including text, digital pictures, and digital audio with information that identifies the work or the publisher. Some watermarks are noticeable to people and some are hidden. In some kinds of watermarks, the embedded information is human readable, but in other kinds the information can only be read by computers.

The term fingerprint is sometimes used in contrast with watermarks to refer to marks that carry information about the end user or rendering event rather than the document or publisher. These marks are called "fingerprints" because they can be used to trace the source of a copy back to a person or computer that rendered the original.

The same technologies and kinds of marks can be used to carry both watermark and fingerprint information. In practice, it is not only possible but often desirable and convenient to combine both kinds of information — for watermarks and fingerprints — in a single mark.

With respect to paper based documents, the simplest approach to providing a mark is a graphical symbol or printed notice that appears on each page. This is analogous to a copyright notice. Such notices can be provided by the publisher in the document source or added later by a printer. These notices serve as social reminders to people to not make photocopies.

Other approaches hide information in the grey codes (or intensity) on a page. Although in principle such approaches can embed data in greycode fonts, their main application so far has been for embedding data in photographs. One set of approaches is described by Cox et al. in a publication entitled "Secure spread spectrum watermarking for Multimedia", NEC Research Institute Technical Report 95-10, NEC Research Institute, Princeton, N.J. 08540. To decode data encoded in the approach described by Cox et al. requires comparing the encoded picture with the original to find the differences. The advantage of these approaches is that they can embed the data in such a way that it is very difficult to remove, not only by mechanical means but also by computational means.

As described above, watermarks need not be perceptible to the viewer. For example, one technique is to embed data in the white space of a document. An example of this kind of approach was described by Brassil, et al. in a publication entitled "Electronic marking and identification techniques to discourage document copying", IEEE Journal on Selected Areas in Communications, Vol. 13, No. 8 pages 1495-1504, October 1995. The idea is to slightly vary the spacing of letters and lines in a digital work. The advantages of this approach are that it is not visible and is hard to remove. A disadvantage is that it has a very limited capacity for carrying data — only a few bytes per page.

Another watermarking scheme for use in digital works representing images is available from the Digimarc Corporation. The Digimarc watermark is invisible and is used to convey ownership information relating to the image. From the Digimarc World Web Page describing their technology (URL http://www.digimarc.com/wt_page.html): "A Digimarc watermark imitates naturally occurring image variations and is placed throughout the image such that it cannot be perceived. To further hide the watermark, the Digimarc watermarking process is perceptually adaptive — meaning it automatically varies the intensity of the watermark in order to remain invisible in both flat and detailed areas of an image." Reading of the Digimarc watermark is through a Digimarc reader which can extract the watermark from the image.

Other related prior art includes Daniele, U.S. Pat. No. 5,444,779, on "Electronic Copyright Royalty Accounting System for Using Glyphs", which discloses a system for utilizing a printable, yet unobtrusive glyph or similar two-dimensionally encoded mark to identify copyrighted documents. Upon attempting to reproduce such a document, a glyph is detected, decoded and used to accurately collect and/or record a copyright royalty for the reproduction of the document or to prevent such reproduction. Furthermore, the glyph may also include additional information so as to enable an electronic copyright royalty accounting system, capable of interpreting the encoded information to track and/or account for copyright royalties which accrue during reproduction of all or portions of the original document.

Merkle, et al., U.S. Pat. No. 5,157,726 entitled "Document Copy Authentication" describes a system for document authentication which utilizes an ID card coupled to a copying machine capable of reading the ID card. The copying machine imparts digitally encoded identification information, e.g. a digital signature, onto a copied document based on information contained in the ID card. The copied document can then be authenticated by scanning the document to extract and decode the digital signature.

SUMMARY OF THE INVENTION

A trusted rendering system for use in a system for controlling the distribution and use of digital works is disclosed. The currently preferred embodiment of the present invention is implemented as a trusted printer. However, the description of the invention herein applies to any rendering device. A trusted printer facilitates the protection of printed documents which have been printed from a system which controls the distribution and use of digital works. The system for controlling distribution and use of digital works provides for attaching persistent usage rights to a digital work. Digital works are transferred in encrypted form between repositories. The repositories are used to request and grant access to digital works. Such repositories are also coupled to credit servers which provide for payment of any fees incurred as a result of accessing or using a digital work.

The present invention extends the existing capabilities of the system for controlling distribution and use of digital works to provide a measure of protection when a document is printed. The present invention adds to the system the ability to include watermark information to a document when it is rendered (i.e. a Print right associated with the document is exercised). In the currently preferred embodiment of a trusted printer, the watermark is visible. However, other "invisible" watermarking technologies may also be used. The watermark data typically provides information relating to the owner of a document, the rights associated with that copy of the document and information relating to the rendering event (e.g. when and where the document was printed). This information will typically aid in deterring or preventing unauthorized copying of the rendered work. It is worth noting that the present invention further provides for multiple types of watermarks to be provided on the same digital work.

Specification of the watermark information is preferably added to a document at the time of assigning render or play rights to the digital work. With respect to printed digital works, at the time of page layout special watermark characters are positioned on the document. When the document is printed, a dynamically generated watermark font is created which contains the watermark information that was specified in the print right. The font of the watermark characters is changed to the dynamically generated watermark font. The dynamically generated watermark font is created using an embedded data technology such as the glyph technology developed by the Xerox Corporation and described in U.S. Pat. No. 5,486,686 entitled "Hardcopy Lossless Data Storage and Communications For Electronic Document Processing Systems", which is assigned to the same assignee as the present application.
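
As an added illustration (not part of the patent text or its Appendix A grammar), the Python example below parses a usage rights specification in the parenthesised (Tag: ...) notation of the figures and decides a print request as the summary describes: a Print right must be present, the requesting printer must be the one named in it, and the watermark text is assembled from Watermark-Str plus the values of the Watermark-Tokens. The outer Work tag, the simplified nesting, the event values, and refusing to print when a requested token is unavailable are assumptions of this example.

```python
import re

# Constructed sample in the parenthesised (Tag: ...) notation of the figures.
# The outer Work tag and the simplified nesting are assumptions of this example.
SPEC = """
(Work:
  (Description: 'Title: The Moby Dog Story Copyright 1994 Zeke Jones')
  (Rights-Group: 'Regular'
    (Play:)
    (Print:
      (Printer: 'TrustedPrinter-6070-qoeiru45587')
      (Watermark:
        (Watermark-Str: 'Title: Moby Dog Copyright 1994 by Zeke Jones.
                         All Rights Reserved.')
        (Watermark-Tokens: user-id institution-location
                           render-name render-location render-time)))))
"""

# Constructed rendering-event data that a printer repository would supply.
EVENT = {
    "user-id": "user-0001",
    "institution-location": "Example Library",
    "render-name": "TrustedPrinter-6070-qoeiru45587",
    "render-location": "Room 101",
    "render-time": "1997-02-28T10:00:00Z",
}

TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def parse(text):
    """Parse one (Tag: atom ... (Child: ...) ...) form into nested dicts."""
    tokens = TOKEN.findall(text)
    # Reject input the tokenizer could not fully consume (e.g. a stray quote).
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", text):
        raise ValueError("unterminated quoted string")
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        pos += 1
        return tokens[pos - 1]

    def node():
        if take() != "(":
            raise ValueError("expected '('")
        tag = take()
        if not tag.endswith(":"):
            raise ValueError("expected a tag, got %r" % tag)
        out = {"tag": tag[:-1], "atoms": [], "kids": []}
        while True:
            if pos < len(tokens) and tokens[pos] == "(":
                out["kids"].append(node())
            else:
                tok = take()
                if tok == ")":
                    return out
                # Collapse line breaks inside quoted values.
                out["atoms"].append(" ".join(tok.strip("'").split()))

    root = node()
    if pos != len(tokens):
        raise ValueError("trailing text after the specification")
    return root


def child(node, tag):
    """Return the first direct child carrying this tag, or None."""
    return next((k for k in node["kids"] if k["tag"] == tag), None)


def evaluate_print(spec_text, printer_id, event):
    """Decide a print request; return (allowed, watermark text or reason)."""
    work = parse(spec_text)
    group = child(work, "Rights-Group")
    right = child(group, "Print") if group is not None else None
    if right is None:
        return False, "no Print right attached to the work"
    printer = child(right, "Printer")
    if printer is not None and printer_id not in printer["atoms"]:
        return False, "printer is not the one named in the Print right"
    mark = child(right, "Watermark")
    if mark is None:
        return True, ""
    text = child(mark, "Watermark-Str")
    names = child(mark, "Watermark-Tokens")
    parts = list(text["atoms"]) if text is not None else []
    for name in (names["atoms"] if names is not None else []):
        if name not in event:
            # Assumption: fail closed when a requested token is unavailable.
            return False, "cannot supply watermark token " + name
        parts.append("%s=%s" % (name, event[name]))
    return True, " | ".join(parts)


if __name__ == "__main__":
    print(evaluate_print(SPEC, "TrustedPrinter-6070-qoeiru45587", EVENT))
    print(evaluate_print(SPEC, "UnknownPrinter-0000", EVENT))
```
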

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating the basic interaction between repository types in a system for controlling the distribution and use of digital works in the currently preferred embodiment of the present invention.

FIG. 2 is an illustration of a repository coupled to a credit server for reporting usage fees as may be used in a system for controlling the distribution and use of digital works in the currently preferred embodiment of the present invention.

FIG. 3 is an illustration of a printer as a rendering system as may be utilized in a system for controlling the distribution and use of digital works in the currently preferred embodiment of the present invention.

FIG. 4 is a block diagram illustrating the functional elements of a trusted printer repository in the currently preferred embodiment of the present invention.

FIG. 5 is a flowchart of the basic steps for digital work creation for printing on a trusted printer as may be performed in the currently preferred embodiment of the present invention.

FIG. 6 is an illustration of a usage rights specification for a digital work that may be printed on a user's trusted printer in the currently preferred embodiment of the present invention.

FIG. 7 is an illustration of a usage rights specification for a digital work that may only be printed on a shared trusted printer residing on a network in the currently preferred embodiment of the present invention.

FIG. 8 is an illustration of a printed page having a glyph encoded watermark.

FIG. 9 is an illustration of a set of sample embedded data boxes having different storage capacities as may be used as watermark characters of a watermark font set in the currently preferred embodiment of the present invention.

FIG. 10 is an illustration of a print right having the watermark information specified as may be used in the currently preferred embodiment of the present invention.

FIG. 11 is a flowchart summarizing the basic steps for a creator to cause watermarks to be placed in their documents as may be performed in the currently preferred embodiment of the present invention.

FIG. 12 is a flowchart of the steps required for printing a document as may be performed in the currently preferred embodiment of the present invention.

FIG. 13 is a flowchart outlining the basic steps for extracting the embedded data as may be performed in the currently preferred embodiment of the present invention.

FIG. 14 is an illustration of an implementation of the present invention as a trust box coupled to a computer based system.

FIG. 15 is a flowchart illustrating the steps involved in printing a digital work using the trust box implementation of FIG. 14.

FIG. 16 is an illustration of an implementation of the present invention as a printer server.

FIG. 17 is a flowchart illustrating the steps involved in printing a digital work using the printer server implementation of FIG. 16.

DETAILED DESCRIPTION OF THE INVENTION

A trusted rendering device for minimizing the risk of unauthorized copying of rendered digital works is described. The risk of unauthorized copying of digital documents comes from three main sources: interception of digital copies when they are transmitted (e.g., by wiretapping or packet snooping); unauthorized use and rendering of digital copies remotely stored, and unauthorized copying of a rendered digital work. The design of trusted rendering devices described herein addresses all three risks.

Trusted rendering combines four elements: a usage rights language, encrypted on-line distribution, automatic billing for copies, and digital watermarks for marking copies that are rendered.

Usage Rights language. Content providers indicate the terms, conditions, and fees for printing documents in a machine-readable property rights language.
Encrypted Distribution. Digital works are distributed from trusted systems to trusted rendering devices via computer networks. To reduce the risk of unauthorized interception of a digital work during transmission, it is encrypted. Communication with the rendering system is by way of a challenge-response protocol that verifies the authorization and security of the rendering device.

Automatic Billing. To ensure a reliable income stream to content providers, billing of royalties is on-line and automatic.

Watermarks. Finally, to reduce the risk of copying of rendered works, the rendered work is watermarked to record data about the digital work and the rendering event. Furthermore, watermarks are designed to make copies distinguishable from originals. As will be described below, watermark information is specified within a rendering or play right in the usage rights language.

The currently preferred embodiment of the present invention is implemented as a trusted printer. The foregoing description will be directed primarily to printers, but the concepts and techniques described therein apply equally to other types of rendering systems such as audio players, video players, displays or multi-media players.

OVERVIEW OF A SYSTEM FOR CONTROLLING THE DISTRIBUTION AND USE OF DIGITAL WORKS

The currently preferred embodiment of the present invention operates in a system for controlling the distribution and use of digital works as described in issued U.S. Pat. No. 5,629,980, entitled "System for Controlling the Distribution and Use of Digital Works" and which is herein incorporated by reference. A digital work is any written, audio, graphical or video based work including computer programs that have been translated to or created in a digital form, and which can be recreated using suitable rendering means such as software programs. The system allows the owner of a digital work to attach usage rights to the work. The usage rights for the work define how it may be used and distributed. Digital works and their usage rights are stored in a secure repository. Digital works may only be accessed by other secure repositories. A repository is deemed secure if it possesses a valid identification (digital) certificate issued by a Master repository and can prove its identity in a challenge response protocol.

The usage rights language for controlling a digital work is defined by a flexible and extensible usage rights grammar. The usage rights language of the currently preferred embodiment is provided in Appendix A. Conceptually, a right in the usage rights grammar is a label attached to a predetermined behavior and defines conditions to exercising the right. For example, a COPY right denotes that a copy of the digital work may be made. A condition to exercising the right is the requester must pass certain security criteria. Conditions may also be attached to limit the right itself. For example, a LOAN right may be defined so as to limit the duration of which a work may be LOANed. Conditions may also include requirements that fees be paid.

A repository is comprised of a storage means for storing a digital work and its attached usage rights, an external interface for receiving and transmitting data, a processor and a clock. A repository generally has two primary operating modes, a server mode and a requester mode. When operating in a server mode, the repository is responding to requests to access digital works. When operating in requester mode, the repository is requesting access to a digital work.

Generally, a repository will process each request to access a digital work by examining the work's usage rights. For example, in a request to make a copy of a digital work, the digital work is examined to see if such "copying" rights have been granted, then conditions to exercise the right are checked (e.g. a right to make 2 copies). If conditions associated with the right are satisfied, the copy can be made. Before transporting the digital work, any specified changes to the set of usage rights in the copy are attached to the copy of the digital work.

Repositories communicate utilizing a set of repository transactions. The repository transactions embody a set of protocols for establishing secure session connections between repositories, and for processing access requests to the digital works. Note that digital works and various communications are encrypted whenever they are transferred between repositories.

Digital works are rendered on rendering systems. A rendering system is comprised of at least a rendering repository and a rendering device (e.g. a printer, display or audio system). Rendering systems are internally secure. Access to digital works not contained within the rendering repository is accomplished via repository transactions with an external repository containing the desired digital work. As will be described in greater detail below, the currently preferred embodiment of the present invention is implemented as a rendering system for printing digital works.

FIG. 1 illustrates the basic interactions between repository types in the present invention. As will become apparent from FIG. 1, the various repository types will serve different functions. It is fundamental that repositories will share a core set of functionality which will enable secure and trusted communications. Referring to FIG. 1, a repository 101 represents the general instance of a repository. The repository 101 has two modes of operations; a server mode and a requester mode. When in the server mode, the repository will be receiving and processing access requests to digital works. When in the requester mode, the repository will be initiating requests to access digital works. Repository 101 may communicate with a plurality of other repositories, namely authorization repository 102, rendering repository 103 and master repository 104. Communication between repositories occurs utilizing a repository transaction protocol.

Communication with an authorization repository 102 may occur when a digital work being accessed has a condition requiring an authorization. Conceptually, an authorization is a digital certificate such that possession of the certificate is required to gain access to the digital work. An authorization is itself a digital work that can be moved between repositories and subjected to fees and usage rights conditions. An authorization may be required by both repositories involved in an access to a digital work.

Communication with a rendering repository 103 occurs in connection with the rendering of a digital work. As will be described in greater detail below, a rendering repository is coupled with a rendering device (e.g. a printer device) to comprise a rendering system.

Communication with a master repository 105 occurs in connection with obtaining an identification certificate. Identification certificates are the means by which a repository is identified as "trustworthy". The use of identification certificates is described below with respect to the registration transaction.

FIG. 2 illustrates the repository 101 coupled to a credit server 201. The credit server 201 is a device which accumulates billing information for the repository 101. The credit server 201 communicates with repository 101 via billing transaction 202 to record billing transactions. Billing transactions are reported to a billing clearinghouse 203 by the credit server 201 on a periodic basis. The credit server 201 communicates to the billing clearinghouse 203 via clearinghouse transaction 204. The clearinghouse transactions 204 enable a secure and encrypted transmission of information to the billing clearinghouse 203.

RENDERING SYSTEMS

A rendering system is generally defined as a system comprising a repository and a rendering device which can render a digital work into its desired form. Examples of a rendering system may be a computer system, a digital audio system, or a printer. In the currently preferred embodiment, the rendering system is a printer. In any event, a rendering system has the security features of a repository. The coupling of a rendering repository with the rendering device may occur in a manner suitable for the type of rendering device.

FIG. 3 illustrates a printer as an example of a rendering system. Referring to FIG. 3, a printer system 301 has contained therein a printer repository 302 and a print device 303. It should be noted that the dashed line defining printer system 301 defines a secure system boundary. Communications within the boundary are assumed to be secure and in the clear (i.e. not encrypted). Depending on the security level, the boundary also represents a barrier intended to provide physical integrity. The printer repository 302 is an instantiation of the rendering repository 105 of FIG. 1. The printer repository 302 will in some instances contain an ephemeral copy of a digital work which remains until it is printed out by the print engine 303. In other instances, the printer repository 302 may contain digital works such as fonts, which will remain and be billed based on use. This design assures that all communication lines between printers and printing devices are encrypted, unless they are within a physically secure boundary. This design feature eliminates a potential "fault" point through which the digital work could be improperly obtained. The printer device 303 represents the printer components used to create the printed output.

Also illustrated in FIG. 3 is the repository 304. The repository 304 is coupled to a printer repository 302. The repository 304 represents an external repository which contains digital works.

FIG. 4 is a block diagram illustrating the functional elements of a trusted printer repository. Note that these functional elements also would be present in any rendering repository. Referring to FIG. 4, the functional embodiment is comprised of an operating system 410, core repository services 411, and print repository functions 412. The operating system 410 is specific to the repository and would typically depend on the type of processor being used to implement the repository. The operating system 401 would also provide the basic services for controlling and interfacing between the basic components of the repository.

The core repository services 411 comprise a set of functions required by each and every repository. For a trusted printer repository the core repository services will include engaging in a challenge response protocol to receive digital works and decryption of received digital data.

The print repository functions 412 comprise functionality for rendering a work for printing as well as gathering data for and creating a digital watermark. The functionality unique to a print repository will become apparent in the description below (particularly with respect to the flowchart of FIG. 12).

BASIC STEPS FOR DIGITAL WORK CREATION FOR PRINTING ON A TRUSTED PRINTER

FIG. 5 is a flowchart illustrating the basic steps for creating a digital work that may be printed on a trusted printer so that the resulting printed document is also secure. Note that a number of well known implementation steps, e.g. encryption of digital works, have been omitted in order to [...] a digital work is written, assigned usage rights including a print right which specifies watermark information and is deposited in repository 1, step 501. As will be described in more detail below, the assignment of usage rights is accomplished through the [...] repository 1 is an indication that it is being placed into a controlled system. Next, repository 1 receives a request from repository 2 for access to the digital work, step 502 and repository 1 transfers a copy of the digital work to repository 2, step 503. [...] example, it is assumed that a "trusted" session between repository 1 and repository 2 has been established. The challenge response protocol used in this interaction is described in the aforementioned U.S. Pat. No. 5,629,980 and thus no further discussion on the challenge response protocol is deemed necessary.

Repository 2 then receives a user request to print the digital work, step 504. Repository 2 then establishes a trusted session with a printer repository of the printing system on which the digital work will be printed, step 505. The printer repository receives the encrypted digital work and determines if it has a print right, step 506. If the digital work has the print right, the printer repository decrypts the digital work and generates the watermark that will be printed on the digital work, step 507. The printer repository then transmits the decrypted digital work with the watermark to a printer device for printing, step 508. For example, the decrypted digital work may be a Postscript file of the digital work.

CONTROLLING PRINTING WITH THE USAGE RIGHTS GRAMMAR

A key concept in governing sale, distribution, and use of digital works is that publishers can assign "rights" to works that specify the terms and conditions of use. These rights are expressed in a rights language as described in the aforementioned U.S. Pat. No. 5,629,980. The currently preferred grammar is provided herein in Appendix A. It is advantageous to specify watermark information within a rendering or play right within the grammar for a number of reasons. First, specification in this manner is technology independent. So different watermarking technologies may be used or changed without altering the digital document. Second, multiple watermarking technologies may be applied to the same digital work, e.g. a visible watermarking technology and an invisible watermarking technology. So if the visible watermark is removed, the invisible one may remain. Third, the watermark information to be placed on the digital work can be associated with the rendering event, rather than the distribution event. Fourth, the watermark information can be extended to include the entire distribution chain of the digital work. Fifth, security and watermarking capabilities of a rendering system may be specified as a condition of rendering. This will further insure the trusted rendering of the digital work.

As a result of these advantages, this type of specifying watermark information fully supports the Superdistribution of digital works. Superdistribution is a distribution concept
where every possessor of a digital work may also be a distributor of the digital work, and wherein every subsequent distribution is accounted for.

When a publisher assigns rights to a digital work, the usage rights enable them to distinguish between viewing (or playing) rights and print rights. Play rights are used to make ephemeral, temporary copies of a work such as an image of text on a display or the sound of music from a loudspeaker. Print rights are used to make durable copies, such as pages from a laser printer or audio recordings on magnetic media.

EXAMPLE - TRUSTED PRINTING FROM A PERSONAL COMPUTER

FIG. 6 is an example of the usage rights for a digital work which enables trusted printing from a personal computer. Referring to FIG. 6, various tags are used for the digital work. The tags "Description" 601, "Work-ID" 602 and "Owner" 603 provide identification information for the digital work.

Usage rights are specified individually and as part of a group of rights. The Rights-Group 604 has been given a name of "Regular". The bundle label provides for a fee payee designation 605 and a minimum security level 606 that are applied to all rights in the group. The fee payee designation 605 is used to indicate who will get paid upon the invocation of a right. The minimum security level 606 is used to indicate a minimum security level for a repository that wishes to access the associated digital work.

The rights in the group are then specified individually. The usage rights specify no fee for transferring 608, deleting 609 or playing 610, but do have a five dollar fee for making a digital copy 607. It also has two Print rights 611 and 612, both requiring a trusted printer (specified by 613). The first Print right 611 can be exercised if the user has a particular prepaid ticket (specified by 614). The second print right has a flat fee of ten dollars (specified by 615). The example assumes that the digital work can be transmitted to a user's computer by exercising the Copy right, and that the user can play or print the work at his or her convenience using the Play and Print rights. Fees are logged from the user's workstation whenever a right is exercised.

Also illustrated in FIG. 6 are watermark specifications 616 and 617. The particular detail for the watermark specifications 616 and 617 is described below with reference to FIG. 10.

Example - Trusted Printing to an Internet Printer

FIG. 7 illustrates a different set of rights for the same digital book. In this version, the publisher does not want digital delivery to be made to a consumer workstation. A practical consideration supporting this choice may be that the publisher wants to minimize the risk of unauthorized digital copying and requires a higher level of security than is provided by trusted systems on available workstations. Instead, the publisher wants the book to be sent directly from an on-line bookstore to a trusted printer. Printing must be prepaid via digital tickets (see fee specification 701). To enable digital distribution to authorized distributors but not directly to consumers, the publisher requires both parties in a Copy and Transfer right to have an authorizing digital license (see certificate specifications 702 and 703). Lacking such a license, a consumer can not access the work at a workstation. Instead, he or she must print the work.

Also illustrated in FIG. 7 is the watermark specification 704. The watermark specification 704 is described in greater detail below with respect to FIG. 10.

WATERMARKS AND FINGERPRINTS

Three main requirements for watermarks on trusted printers have been identified:

Social Reminder. This requirement is for a visible printed indication about whether photocopying is permitted. This could be a printed statement on the document or an established icon or symbol within a corporation indicating a security level for the document.

Auditing. This requirement is for a way to record information on the document about the printing event, such as [...] photocopying is permitted, and what person or printer printed the document and when the document was printed.

Copy Detection. This requirement is a way for differentiating between printed originals and photocopies. In general, this requirement involves using some print patterns on the page which tend to be distorted by photocopiers and scanners. For some patterns, the difference between copies and printed original is detectable by people; for other patterns, the difference is automatically detectable by a computer with a scanner.

In the currently preferred embodiment, watermarks are [...] embedded data technology such as glyph technology developed by the Xerox corporation. Glyph technology as it is used as embedded data printed on a medium is described in U.S. Pat. No. 5,486,686 entitled "Hardcopy Lossless Data Storage and Communications For Electronic Document Processing Systems", which is incorporated by reference herein. Using glyphs as digital watermarks on printed documents is described in co-pending application Ser. No. 08/734,570 entitled "Quasi-Reprographics With Variable Embedded Data With Applications To Copyright Management, Distribution Control, etc.", which is assigned to the same assignee as the present application and is incorporated by reference herein.

Generally, embedded data technology is used to place machine readable data on a printed medium. The machine readable data typically is in a coded form that is difficult if not impossible for a human to read. Another example of an embedded data technology is bar codes.

Embedded data technology can be used to carry hundreds of bits of embedded data per square inch in various grey patterns on a page. Preferably, glyphs are used because the [...] representing the encoded data can be used to create [...] aesthetically appealing than other embedded data technologies. With careful design, glyphs can be integrated as graphical elements in a page layout. Glyphs can be used with any kind of document. Glyph watermarks to carry document identification can be embedded by the publisher; while glyphs carrying data about a print event can be added to the watermark at the time of printing by a printing system. Both document identification and fingerprinting data can be embedded in the same watermark.

It should be noted that a disadvantage of glyphs and with forms of visible and separable watermarks, is that with mechanical or computational effort, they can be removed from a document.

FIG. 8 illustrates an example of a document image having a glyph encoded watermark. Referring to FIG. 8, a document page 801 has various text 802. Also included is a glyph encoded watermark 803. Note that the document is not limited to text and may also include image or graphical data.

INTEGRATING EMBEDDED DATA AS WATERMARKS INTO TRUSTED PRINTING SYSTEMS

This section describes briefly how embedded data technology can be used in trusted printing systems to embed
watermarking data. How glyphs and watermark data are handled at each stage in creating, publishing, and printing a document is discussed.

It has been determined that for integrating embedded data such as glyphs into trusted printing systems, the requirements include:

Document designers such as authors and publishers must be able to specify on a page by page basis the position and shape of watermarks, so that they can be incorporated into the design of the document.

The approach should be compatible with mainline document creation (e.g. word processing) systems.

The approach should work within the protocols of existing printers.

The approach should carry the fingerprint (or run-time) data in Usage Rights specifications.

The approach should not significantly slow down printing.

Herein the term media-dependent data is used to refer to information about how a watermark is located and shaped within the document content. The approach depends on the use of Usage Rights to express the data to be encoded in the watermark.

Document Creation

Publishers use a wide variety of tools to create documents. Different text editors or word processors provide different ways and degrees of control in laying out text, pictures and figures. One thing that all text editors have is a way to locate text on a page. In effect, this is a lowest common denominator in abilities for all systems.

Exploiting this common capability provides insight about how to use glyphs to represent watermarks:

Glyph watermarks are organized graphically as rectangular boxes.

Different sized boxes have different capacities for carrying data. On 300 dpi printers, about 300 bytes per inch can be encoded in glyphs. Note that this can represent even more data if the original data is compressed prior to glyph encoding. Note for greater reliability, some data may be repeated redundantly, trading data capacity for reliability.

Each glyph watermark is represented to a document creation program as a character in an initial glyph watermark font. Boxes of different sizes and shapes are represented as different characters for the initial glyph watermark font. When a digital work is printed, the encoding of the data is analogous to calculating and changing the watermark font.

In practice, a designer laying out a document would open a page of a glyph catalog containing glyph boxes of different sizes. The glyph boxes in the catalog would probably contain just test data, e.g. a glyph ASCII encoding of the words "test pattern glyph Copyright © Xerox Corporation 1997. All Rights Reserved". The designer would determine ahead of time how much data he wants to encode per page, such as 100, 300, 500, or 1000 bytes. The designer would copy a "box" (actually a character) of the corresponding size into their document and locate it where they want it on the page, typically incorporating it as a design element.

FIG. 9 illustrates a set of sample watermark characters (i.e. glyph boxes) having different storage capacities. An actual catalog would contain additional shapes and would be annotated according to the data-carrying capacity of the glyphs.

Note that the glyph encoded watermarks can also be placed in figures, since drawing programs also have the capability to locate characters on a page.
When the creator saves their work, the document creation program writes a file in which characters in the glyph font are used to represent the watermarks. If the creator prints the document at this stage, he will see more or less what the final sold versions will look like except that the test data encoded in the gray tones of the glyph box will later be replaced by the dynamically generated watermark data.

SPECIFYING WATERMARK DATA

When the author or publisher gets ready to publish the work and import it into a system for controlling distribution and use of digital works, one of the steps is to assign rights to the work using a Rights Editor. The Rights Editor is a program with which a document owner specifies terms and conditions of using a digital work.

This is the point at which document identification data and also print event data are specified. FIG. 10 illustrates the watermark information specified for a print right. Note that the watermark information specification is optional within the grammar. Referring to FIG. 10, print right 1001 specifies that a purchaser of the document must pay ten dollars to print the document (at fee specification 1002). The document must only be printed on a trusted printer of a given type (at printer specification 1003). Furthermore, the watermark must embed a particular string "Title: Moby Dog Copyright 1994 by Zeke Jones. All Rights Reserved" and also include various data about the printing event (at Watermark-Tokens specification 1004). Note that the watermark tokens specification is used to specify the "fingerprint" information associated with the printing of the digital work. Here the specified printing event data is who printed it out, the name of the institution printing it out, the name of the printer, the location of the printer and the time that the digital work was printed. As will be described below, this information is obtained at print time.

FIG. 11 is a flowchart summarizing the basic steps for a creator to cause watermarks to be placed in their documents. As part of the layout of the textual document the designer determines how much data is required by the watermark, step 1101. Based on the amount of needed data, a suitable watermark character (e.g. glyph box) is selected, step 1102. The watermark character is then positioned onto a page (or the pages) of the digital work, step 1103. Finally, as part of the rights assignment for the digital work document, a print right with a watermark specification is made, step 1104. At this point, the document can be viewed with the watermark positioned in the desired place(s) on the document. However, the actual fingerprint and other identifying data in an embedded data format has not yet been created. This is created dynamically at print time as described below.
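The print right of FIG. 10 and sizing steps 1101 and 1102, worked through as an added example that is not part of the patent text. It assumes the parenthesised syntax shown in the figures; the `name=value` payload layout, the helper names and the print-event values are constructed for illustration, and glyph encoding itself is not reproduced.

```python
import re

# Tokens of the parenthesised rights syntax: parens, 'quoted strings', atoms.
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

# Per-page data sizes the text says a designer chooses between, in bytes.
BOX_CAPACITIES = (100, 300, 500, 1000)


def parse(text):
    """Parse one (Label: item ...) form into (label, [items]); forms nest."""
    tokens = TOKEN.findall(text)
    pos = 0

    def form():
        nonlocal pos
        pos += 1  # consume "("
        if pos >= len(tokens) or not tokens[pos].endswith(":"):
            raise ValueError("expected 'Label:' after '('")
        label = tokens[pos][:-1]
        pos += 1
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] == "(":
                items.append(form())
            else:
                items.append(tokens[pos].strip("'"))
                pos += 1
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        pos += 1  # consume ")"
        return (label, items)

    if not tokens or tokens[0] != "(":
        raise ValueError("a right must start with '('")
    tree = form()
    if pos != len(tokens):
        raise ValueError("trailing tokens after the right")
    return tree


def child(form, label):
    """Return the first nested form with this label, or None."""
    for item in form[1]:
        if isinstance(item, tuple) and item[0] == label:
            return item
    return None


def watermark_payload(print_right, context):
    """Bytes to embed: the fixed string plus the requested print-event data."""
    spec = child(print_right, "Watermark")
    if spec is None:  # the watermark specification is optional in the grammar
        return b""
    lines = []
    fixed = child(spec, "Watermark-Str")
    if fixed is not None:
        lines.append(" ".join(fixed[1]))
    wanted = child(spec, "Watermark-Tokens")
    for name in (wanted[1] if wanted else []):
        if name not in context:
            # Fail closed: a print without a required fingerprint field
            # would leave a copy that cannot be traced to its print event.
            raise KeyError("no value for watermark token " + name)
        lines.append(name + "=" + context[name])
    return "\n".join(lines).encode("utf-8")


def smallest_box(nbytes):
    """Smallest catalog capacity that holds nbytes, or None if none does."""
    for capacity in BOX_CAPACITIES:
        if nbytes <= capacity:
            return capacity
    return None


# Constructed sample, modelled on the print right described for FIG. 10.
SAMPLE_RIGHT = """
(Print:
  (Fee: (Per-Use: 10))
  (Printer: 'TrustedPrinter-6070-qoeiru45587')
  (Watermark:
    (Watermark-Str: 'Title: Moby Dog Copyright 1994 by Zeke Jones. All Rights Reserved.')
    (Watermark-Tokens: user-id institution-location render-name
                       render-location render-time)))
"""

# Constructed print-event values; a repository would take these from the
# user's and printer's identification certificates and from its clock.
SAMPLE_CONTEXT = {
    "user-id": "user-0001",
    "institution-location": "Example Library",
    "render-name": "TrustedPrinter-6070-qoeiru45587",
    "render-location": "Room 12",
    "render-time": "1997-01-01T12:00:00Z",
}

if __name__ == "__main__":
    right = parse(SAMPLE_RIGHT)
    payload = watermark_payload(right, SAMPLE_CONTEXT)
    print(payload.decode())
    print("bytes:", len(payload), "box:", smallest_box(len(payload)))
```

Running the sizing check at design time against the longest values a certificate may carry avoids discovering at print time that the fingerprint no longer fits the box placed on the page.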

PRINTING THE DIGITAL WORK

The next steps for the digital work are that it is published and distributed. During this process, the digital work is protected by the encryption and other security systems that are employed and the rights travel with the document. Part of this process assures that any printer or workstation that has a copy of the document also has digital certificates which contain information identifying the trusted system, trusted printer, user, and so on (a process described in more detail in issued U.S. Pat. No. 5,629,980).

FIG. 12 is a flowchart of the steps required for printing a document. Referring to FIG. 12, at some point, a user decides to print a document, step 1201. Typically this is done via a print command invoked through some interface on the user's system. This opens a challenge-response protocol
between the "user" repository containing the document and the printer repository, step 1202. During this exchange, the security and watermark capabilities of the printer are checked. If the printer does not have the proper security or watermark capabilities, the digital work cannot be printed on that printer. The printer security level and watermark capabilities are specified in the identification certificate for the printer. Assuming that the printer has the proper security levels and watermark capabilities, the "user" repository then checks that the digital work has the required print right, step 1203. Assuming that the digital work has the required print right the user repository may interface with a credit server to report any required fees for printing the digital work, step 1204. Note that the actual billing for the digital work may occur when the right is invoked either when the print right is exercised or when it can be verified that the document has been printed. The latter case protects the user in the situation wherein printing may become inadvertently terminated before the entire digital work is printed.

A computation is then performed to gather together the information to be embedded in the watermark and to incorporate it into a new font for the watermark character. First the information must be gathered from digital identification certificates belonging to the user or the trusted printer, such as names, locations, and the current date and time, step 1205. This information is "printed" internally into computer memory, creating a bitmap image of glyph boxes of different sizes, step 1206. Creation and coding of glyphs is described in the aforementioned U.S. Pat. No. 5,486,686, thus no further discussion on the encoding of glyph patterns is deemed necessary. In any event, this information is then assembled into a font definition, step 1207.

The digital work is then decrypted and downloaded into the printer, step 1208. When the digital work is downloaded into the printer, part of the protocol is also to download the new "revised" glyph font, which now has characters corresponding to glyph boxes. This font looks more or less like the one that the publisher used in creating the document except that the gray codes inside the font boxes now embed the data that the publisher wants to appear in the watermarks on the document.

The printer then prints the digital work, step 1209. When the document is printed, the glyphs that appear on the pages contain the desired watermark data.

READING THE EMBEDDED DATA CONTAINED IN THE WATERMARK

FIG. 13 is a flowchart outlining the basic steps for extracting the embedded data. First, the printed document is scanned and a digital representation obtained, step 1301. The location of the watermark and the corresponding embedded data is then found, step 1302. The watermark may be found using techniques for finding characteristic pixel patterns in the digital representation of the printed document. Alternatively, a template for the document may have been created that could be used to quickly find the watermark location. In any event, the embedded data is extracted from the watermark and decoded, step 1303. The decoded data is then converted to a human readable form, step 1304. This may be on a display or printed out. The data extracted is then used to identify who and where the unauthorized reproduction of the digital work came from.

Note that the means for extraction of the watermark data is dependent on the technology used to embed the watermark data. So while the actual extraction steps may vary, they do not cause departure from the spirit and scope of the present invention.

TRUSTED PRINTER EMBODIMENTS

In the following, two embodiments of trusted printer implementations are described: desktop implementations for personal printers and print server implementations for larger workgroup and departmental printers.

DESKTOP IMPLEMENTATIONS

There is a large and growing install base of personal printers. Typically, such printers are connected to personal computers by serial output ports. In other cases, they are installed on small local area networks serving a few offices.

To serve this market a "trust box" is provided which would be positioned in between the personal computer and the personal printer. The "trust box" would act as a print repository for the trusted printer system. This is a market where the purchase of such hardware would be justified by the convenience of digital delivery to the office, for those documents that publishers are unwilling to send in the clear (i.e. not encrypted). The cost of the trust box offsets either waiting for mail delivery or driving to another location to pick up trusted printer output.

FIG. 14 is an illustration of a trust box in a computer based system. Referring to FIG. 14, a personal computer 1401 is coupled to a network 1402. The personal computer 1401 itself is part of a trusted system in that it embodies a repository. The personal computer would receive digital works through the network 1402 (e.g. over the Internet). The personal computer 1401 is further coupled to trust box 1403. The communications between the repository contained in the personal computer 1301 and the trust box 1403 are encrypted for security purposes. Finally, the trust box 1403 is coupled to a printer 1404. The printer 1404 receives decrypted print streams for printing.

From a conceptual perspective, the personal computer combined with the trust box and printer form a trusted system. The trust box implementation would work with other system elements as illustrated in the steps of the flowchart of FIG. 15.

Referring to FIG. 15, the consumer contacts the distributor of digital works using, for example, an Internet browser such as Netscape Navigator or Microsoft Explorer, step 1501. For the sake of brevity, it is assumed that a trusted session is established between the consumer's repository and the distributor's repository. Using known user interface methods, the consumer selects a work from a catalog or search service, step 1502. In this example, it is assumed that the rights holder has associated a Print right with the document, and that all terms and conditions for exercising the right [...] consumer and the trust box.

Once a work is selected the two repositories begin a purchase transaction, step 1503. As described in U.S. Pat. No. 5,629,980, there are several variations for billing. For concreteness, it is assumed that there is a billing account associated with the trust box.

Using a helper application (or equivalent), the consumer's repository sends a digital certificate to the distributor which contains the trust box's public key, step 1504. The certificate itself is signed by a well-known repository, such as the printer's manufacturer.

The distributor repository encrypts the document using DES or some other encryption code, step 1505. The encryption uses a key length that is compatible with requirements of security and legal constraints. The distributor repository encrypts the document key in an envelope signed by the public key of the printer box, step 1506. The distributor
repository then sends the encrypted document and the envelope along to the consumer's workstation.

The personal computer stores the encrypted document in its repository along with the envelope containing the key, step 1507.

At some point, the user decides to print the document. Using a print program, he issues a print request, step 1508. His personal computer contacts the trust box, retrieving its identity certificate encrypted in its public key, step 1509. It looks up the watermark information in certificates from the user, the computer itself, and the printer, step 1510. It downloads the watermark font to the printer through the trust box, step 1511.

The print program begins sending the document, one page at a time to the trust box, step 1512.

The trust box contacts the printer. It decrypts the document giving the document key to a decryption means (e.g. an internal decryption chip), step 1513. It transmits the document to the printer in the clear, step 1514. Note that this is one place where a digital copy could be leaked, if a printer emulator was plugged into the print box to act like a printer. Presumably the security level of the trust box is set to a value that reflects the level of risk. The document is then printed, step 1515. Finally, the trust box reports billing to a Financial Clearinghouse, step 1516.

The trusted print box design is intended to meet several main design objectives as follows:

Installed Base. This approach is intended to work within the current installed base of desktop or personal printers. Installing a trusted print box requires loading software and plugging standard serial cables between the printer, the trusted print box, and the computer.

Security. The approach inhibits unauthorized photocopying through the use of watermarks. The approach inhibits digital copying by storing digital works in an encrypted form, where the consumer workstation does not have access to the key for decrypting the work.

Printer Limitations. The approach assumes that the user will plug the trusted print box into a standard printer. The printer is assumed to not have the capability of storing extra copies of the digital work.

Building box in Printer. Variations of this approach include incorporating the trusted print box into the printer itself. That variation has the advantage that it does not present the document in the clear along any external connectors.

Weak Link. A weak link in this approach is that there is an external connector that transmits the document in the clear. Although this is beyond the average consumer, it would be possible to build a device that sits between the trusted printer box and the printer that would intercept the work in the clear.

Billing Variations. In the version presented here, the trusted print box has secure storage and programs for managing billing records. A simpler version of the approach would be to keep track of all billing on-line. For example, one way to do this would be to have the document printing start at the time that the customer orders it. In this variation, the document is still sent in encrypted form from the publisher, through the consumer's workstation, decrypted, and sent to the trusted print box, to the printer. The difference is that the trusted print box no longer needs to keep billing records and that the consumer must start printing the document at the time that the document is ordered.

Software-only Variation. Another variation on the desktop printing solution involves only software. The consumer/client purchases the work and orders the right to print it once. The on-line distributor delivers the work, encrypted, one page at a time. The consumer workstation has a program that decrypts the page and sends it to the printer with watermarks, and then requests the next page. At no time is a full decrypted copy available on the consumer's computer. The weak link in this approach is that the consumer's computer does gain access to copies of pages of the work in the clear. Although this would be beyond the average consumer, it would be possible to construct software either to mimic runtime decryption software or modify it to save a copy of the work, one page at a time.

PRINTER SERVER IMPLEMENTATIONS

Much of the appeal of trusted printers is to enable the safe and commercial printing of long documents. Such printing applications tend to require the speed and special features of [...] architecture for server-based trusted printers.

Besides the speed and feature differences of the print engines themselves, there are some key differences between server-based trusted printers and desktop trusted printers.

Server-based printers store complete copies of documents in files.

Server-based printers have operating systems and file systems [...] accessible via a network.

Server-based printers have consoles, accessible to dedicated or [...] operators depending on the installation.

These basic properties of server-based printers create their [...] document security which need to be addressed. In addition, since server-based printers tend to be high volume and expensive, it is important that the trusted system features not significantly slow down competitive printer [...]

From a conceptual perspective, the print server (including network services and spooling) combined with the printer forms a trusted system.

[...] functional terms, the operation of the server implementation is similar to that of the trust box implementation. The difference is that the server performs many of the operations of the trust box.

There are many variations on how the print server may need to interoperate with the other system elements. For example, the transaction with the printer may be with the user's computer or with an on-line repository that the user is communicating with. In the following, the transaction is described as happening from a repository, although that repository may be the user's own computer.

FIG. 16 is a block diagram illustrating a print server implementation. Referring to FIG. 16, a consumer workstation 1601 is coupled to publisher repository 1602. The publisher repository 1602 couples directly with a spooler in printer repository 1603. The spooler is responsible for scheduling and printing of digital works. The spooler 1603 is coupled to the printer 1604.

The server implementation would work with other system elements as illustrated in the steps of the flowchart of FIG. 17. Referring to FIG. 17, the repository contacts the trusted printer's server, engaging in a challenge-response protocol to verify that the printer is of the right type and security level to print the work, step 1701. These interactions also give the printer public certificates for the repository and user, that are used for retrieving watermark information.

The distributor encrypts the document using DES or some other code, using a key length that is compatible with
requirements of security and legal constraints, step 1702. It encrypts the document key in an envelope signed by the public key of server, step 1703. It sends the encrypted document to the server, step 1704.

Note that in some versions of this architecture, different levels of encryption and "scrambling" (less secure) are used on the document at different stages in the server. It is generally important to protect the document in all places where it might be accessed by outside parties. The use of lower security encoding is sometimes used to avoid potentially-expensive decryption steps at critical stages that would slow the operation of the printer.

In any event, the server stores the encrypted document, step 1705. At some point, the spooler gets ready to print the document. Before starting, it runs a process to create a new version of the glyph font that encodes the watermark data, step 1706. It looks up the required watermark information in its own certificates as well as certificates from the repository and user.

Finally, the spooler begins imaging the document, one page at a time, step 1707.

Thus, trusted rendering systems for use in a system for controlling the distribution and use of digital works are disclosed. While the present invention is described with respect to a preferred embodiment, it would be apparent to one skilled in the art to practice the present invention with other configurations of information retrieval systems. Such alternate embodiments would not cause departure from the spirit and scope of the present invention.

APPENDIX A. 

GRAMMAR FOR THE USAGE RIGHTS LANGUAGE 

work-specification -> 
    (Work: 
        (Rights-Language-Version: version-id) 
        (Work-ID: work-id)_opt 
        (Description: text-description)_opt 
        (Owner: certificate-spec)_opt 
        (Parts: parts-list)_opt 
        (Contents: (From: address) (To: address))_opt 
        (Copies: copy-count)_opt 
        (Comment: comment-str)_opt 
        rights-group-list ) 
parts-list -> work-id | work-id parts-list 
copy-count -> integer-constant | unlimited 
rights-group-list -> 
    rights-group-spec rights-group-list_opt 
rights-group-spec -> 
    ( rights-group-header rights-group-name 
        bundle-spec_opt 
        comment_opt 
        rights-list ) 
rights-group-header -> 
    Rights-Group: | 
    Reference-Rights-Group: 
bundle-spec -> 
    (Bundle: comment_opt time-spec_opt access-spec_opt 
        fee-spec_opt watermark-spec_opt ) 
comment -> (Comment: comment-str) 
rights-list -> right rights-list_opt 
right -> (right-code comment_opt time-spec_opt access-spec_opt fee-spec_opt ) 
right-code -> 
    transport-code | 
    render-code | 
    derivative-work-code | 
    file-management-code | 
    configuration-code 
transport-code -> transport-op-spec next-copy-rights-spec_opt 
transport-op-spec -> 
    Copy: | 
    Transfer: | 
    Loan: remaining-rights-spec_opt 
next-copy-rights-spec -> (Next-Copy-Rights: next-set-of-rights ) 
remaining-rights-spec -> (Remaining-Rights: rights-groups-list ) 
next-set-of-rights -> rights-to-add-spec_opt | rights-to-delete-spec_opt 
rights-to-add-spec -> (Add: rights-groups-list ) 
rights-to-delete-spec -> (Delete: rights-groups-list ) 
render-code -> 
    Play: player-spec_opt | 
    Print: printer-spec_opt | 
    Export: repository-spec_opt 
player-spec -> (Player: certificate-list)_opt (Watermark: watermark-spec)_opt 
printer-spec -> (Printer: certificate-list (Watermark: watermark-spec)_opt 
repository-spec -> (Repository: certificate-list)_opt 
derivative-work-code -> 
    derivative-op-spec editor-spec_opt next-copy-rights-spec_opt 
derivative-op-spec -> 
    Edit: | 
    Extract: | 
    Embed: 
editor-spec -> (Editor: certificate-list) 
file-management-code -> 
    Backup: backup-copy-rights-spec_opt | 
    Restore: | 
    Verify: verifier-spec_opt | 
    Folder: | 
    Directory: | 
    Delete: 
backup-copy-rights-spec -> Backup-Copy-Rights: rights-groups-list 
verifier-spec -> (Verifier: certificate-list) 
configuration-code -> 
    Install: | 
    Uninstall: 
time-spec -> 
    (Time: interval-type expiration-spec_opt ) 
interval-type -> 
    fixed-interval-spec | 
    sliding-interval-spec | 
    metered-interval-spec 
fixed-interval-spec -> (From: moment-spec) 
sliding-interval-spec -> (Interval: interval-spec) 
metered-interval-spec -> (Metered: interval-spec) 
expiration-spec -> (Until: moment-spec) 
moment-spec -> date-constant time-of-day-constant_opt 
interval-spec -> 
    calendar-units-constant | 
    time-units-constant | 
    calendar-units-constant time-units-constant 
fee-spec -> (Fee: ticket-spec | monetary-spec 
ticket-spec -> (Ticket: (Authority: authority-id) (Type: ticket-id )) 
monetary-spec -> 
    (fee-type min-price-spec_opt max-price-spec_opt account-spec ) 
fee-type -> 
    (Per-Use: money-units ) | 
    (Metered: (Rate: money-units) 
        (Per: interval-spec ) (By: interval-spec)_opt | 
    (Best-Price-Under: money-units ) | 
    (Call-For-Price: dealer-id ) | 
    (Markup: percentage ) 
money-units -> floating-constant (Currency: ISO-Currency-Code )_opt 
account-spec -> (To: account-id ) (House: clearing-house-id)_opt | 
    (From: account-id) (House: clearing-house-id)_opt 
min-price-spec -> (Min: (Rate: money-units ) (Per: interval-spec)) 
max-price-spec -> (Max: (Rate: money-units ) (Per: interval-spec)) 
access-spec -> 
    (Access: security-class-spec_opt 
        user-spec_opt 
        source-spec_opt 
        destination-spec_opt ) 
security-class-spec -> (Security: s-list) 
s-list -> s-pair | s-pair s-list 
s-pair -> (s-name: s-value) 
s-name -> literal-constant 
s-value -> floating-constant 
user-spec -> (User: authorization-spec) 
source-spec -> (Source: authorization-spec) 
destination-spec -> 
    (Destination: authorization-spec) 
authorization-spec -> 
    (Any: certificate-list ) | 
    certificate-list 
certificate-list -> certificate-spec certificate-list_opt 
certificate-spec -> (Certificate: (Authority: authority-id) property-list_opt ) 
property-list -> property-pair | property-pair property-list 
property-pair -> (property-name: property-value) 
property-name -> literal-constant 
property-value -> string-constant | literal-constant 
    | floating-constant | integer-constant 
watermark-spec -> watermark-info-list 
watermark-info-list -> watermark-str-spec_opt watermark-info-list_opt | 
    watermark-token-spec_opt watermark-info-list_opt | 
    watermark-object-spec_opt watermark-info-list_opt 
watermark-str-spec -> (Watermark-Str: watermark-str) 
watermark-token-spec -> (Watermark-Tokens: watermark-tokens) 
watermark-tokens -> watermark-token watermark-tokens_opt 
watermark-token -> all-rights | render-rights | 
    user-name | user-id | user-location | 
    institution-name | institution-id | institution-location | 
    render-name | render-id | render-location | render-time 
watermark-object-spec -> (Watermark-Object: work-id) 
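
The grammar above, exercised in an added example that is not code from the patent: a small reader for the parenthesized rights syntax, plus a check that applies the rights group's Security criteria and gathers the Print right's watermark string and tokens before rendering. The sample work and its ids, the `printer_levels` and `context` dictionaries, and the reading of each s-pair as a minimum the printer must meet are assumptions.

```python
import re
from collections import deque
# Constructed sample written against the Appendix A grammar; every id is made up.
SAMPLE = """
(Work: (Work-ID: 'example-work-001')
  (Rights-Group: 'Regular'
    (Bundle: (Access: (Security: (Level: 2)))) (Copy: (Fee: (Per-Use: 5)))
    (Print: (Printer: (Certificate: (Authority: 'example-ca') (Type: 'TrustedPrinter')))
      (Watermark: (Watermark-Str: 'Example Work. All Rights Reserved.')
                  (Watermark-Tokens: user-id render-time)))))
"""
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()]+")

def parse(text):
    """Read one parenthesized form into nested lists: ['Tag:', child, ...]."""
    tokens = deque(TOKEN.findall(text))
    def read():
        if not tokens:
            raise ValueError("unexpected end of input")
        tok = tokens.popleft()
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":  # atom; quoted strings lose their quotes
            return tok[1:-1] if len(tok) > 1 and tok[0] == tok[-1] == "'" else tok
        node = []
        while tokens and tokens[0] != ")":
            node.append(read())
        if not tokens:
            raise ValueError("missing ')'")
        tokens.popleft()  # consume ')'
        return node
    tree = read()
    if tokens:
        raise ValueError("trailing input after the form")
    return tree

def find(node, tag):
    """First direct child form of `node` whose tag is `tag`, else None."""
    for child in (node or [])[1:]:
        if isinstance(child, list) and child and child[0] == tag:
            return child
    return None

def gather_print_watermark(work, printer_levels, context):
    """Enforce the Security criteria, then collect the Print right's watermark data."""
    group = find(work, "Rights-Group:")
    right = find(group, "Print:")
    if right is None:
        raise PermissionError("work carries no Print right")
    # Assumption: each (s-name: s-value) pair is a minimum the printer must meet.
    for pair in (find(find(find(group, "Bundle:"), "Access:"), "Security:") or [])[1:]:
        if printer_levels.get(pair[0].rstrip(":"), 0) < float(pair[1]):
            raise PermissionError("printer fails " + pair[0] + " " + pair[1])
    mark = find(right, "Watermark:")
    names = (find(mark, "Watermark-Tokens:") or [])[1:]
    if any(name not in context for name in names):
        raise PermissionError("unresolved watermark token")  # never print a partial mark
    text = find(mark, "Watermark-Str:")
    return {"str": text[1] if text else "", "tokens": {n: context[n] for n in names}}
```

A printer whose level is below the required value, or a rendering context that cannot supply every listed token, is refused before any watermark data is returned.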



What is claimed is: 

1. A system for controlling the distribution and use of 
digital works comprising: 

means for creating usage rights, each instance of a usage 
right representing a specific instance of how a digital 
work may be used or distributed; 

means for attaching a created set of usage rights to a 
digital work including a rendering right, said rendering 
right for permitting said digital work to be rendered, 
said rendering right further specifying watermark 
information to be embedded into a rendering of said digital 
work, said watermark information including information 
related to the rendering of said digital work and 
said rendering right further specifying rendering 
criteria that an instance of a rendering system must satisfy 
before the digital work can be rendered, said rendering 
right originally being an external data with respect to 
the watermark; 

a communication medium for coupling repositories to 
enable exchange of repository transaction messages, 

a general repository for storing and securely exchanging 
digital works with attached usage rights; 

a rendering system comprising a rendering repository for 
receiving a digital work to be rendered from said 
general repository and a rendering device for rendering 
digital works, said rendering repository further 
comprising: 

means for gathering watermark information specified in a 
rendering right associated with said digital work to be 
rendered; and 

means for encoding said watermark information for 
embedding in said digital work when rendered. 

2. The system as recited in claim 1 wherein said rendering 
criteria is comprised of a predetermined security level and 
predetermined watermarking capabilities. 

3. The system as recited in claim 1 wherein said rendering 
right is a print right, said rendering system is a printing 
system and said rendering repository is a printer repository. 

4. The system as recited in claim 3 further comprising 
digital work authoring means having means for placing a 
watermark character on a digital document. 

5. The system as recited in claim 4 wherein said means for 
encoding said watermark information for embedding in said 
digital work when rendered is further comprised of means 
for encoding glyph patterns based on said watermark 
information to create a dynamic watermark font, wherein said 
glyph patterns correspond to watermark characters. 

6. The system as recited in claim 5 wherein said means for 
encoding said watermark information for embedding in said 
digital work when rendered is further comprised of means 
for changing said watermark characters to have said 
dynamic watermark font. 

7. The system as recited in claim 3 wherein said printer 
repository is in the same enclosure as said print device. 

8. The system as recited in claim 3 wherein said printer 
repository is in a different enclosure from said print device. 

9. The system as recited in claim 1 wherein said printer 
repository is further comprised of means for causing a 
printing fee to be paid when said [document] digital work is 
printed. 

10. The system as recited in claim 1 further comprising a 
watermark extraction means for extracting the watermark 
information from said digital work. 

11. The system as recited in claim 10 wherein said 
watermark extraction means is further comprised of: 

a scanner device for creating a bit mapped representation 
of a printed medium; 

means for locating said watermark in said bit mapped 
representation of a printed medium; and 

means for decoding embedded data contained in said 
watermark. 

12. The system as recited in claim 11 wherein said means 
for decoding embedded data contained in said watermark of 
said watermark extraction means is comprised of means for 
decoding glyph patterns. 

13. In a system for controlling the distribution and use of 
digital works, a method for providing a watermark on a 
rendered digital work comprising the steps of: 

a) a digital work creator assigning a rendering right to said 
digital work and storing in a distribution repository, 
said rendering right specifying watermark information 
indicating information identifying a rendering event 
and rendering criteria that an instance of a rendering 
system must satisfy before the digital work can be 
rendered; 

b) a user obtaining an encrypted version of said digital 
work from said distribution repository and storing in a 
user repository; 

c) said user requesting that said digital work be rendered; 

d) said user repository determining if said digital work has 
the appropriate rendering right; 

e) if said digital work has the appropriate rendering right, 
said user repository communicating with a rendering 
repository to establish a trusted session; 

f) said user repository transferring said digital work to 
said rendering repository; 

g) said rendering repository gathering watermark 
information specified in said rendering right and 
determining that it meets the required rendering criteria; 

h) said rendering repository encoding data for said 
watermark information; 

i) said rendering repository decrypting said digital work 
and embedding said watermark information, to be 
transmitted for subsequent extraction of watermark 
information; and 

j) said rendering repository transmitting said digital work 
with embedded watermark information to a rendering 
device for rendering. 

14. The method as recited in claim 13 wherein said 
rendering right is a print right and said rendering repository 
is a printer repository. 

15. The method as recited in claim 14 wherein prior to 
said step of said digital work creator storing said digital 
work in a distribution repository, said digital work creator 
placing watermark characters on said digital work, said 
watermark characters in an original watermark font. 

16. The method as recited in claim 15 wherein said 
rendering event is printing of the digital work and said step 
of said rendering repository gathering watermark 
information specified in said rendering right is further 
comprised of the step of said rendering repository obtaining 
identification certificates for said user repository and said 
printer repository and extracting identification information. 

17. The method as recited in claim 16 wherein said step 
of said print repository encoding data for said watermark 
information is further comprised of the step of defining 
glyph patterns defining said watermark information as 
characters in a dynamic watermark font. 

18. The method as recited in claim 17 wherein said step 
of said printer repository embedding said watermark 
information is further comprised of the step of said printer 
repository changing the original watermark font of said 
watermark characters to said dynamic watermark font. 

19. In a system for controlling the distribution and use of 
digital works, a method for providing a watermark on a 
rendered digital work comprising the steps of: 

a) a digital work creator assigning a rendering right to said 
digital work and storing in a distribution repository, 
said rendering right specifying criteria for a rendering 
system that must be satisfied before the digital work 
can be rendered and watermark information indicating 
information identifying a rendering event; 

b) a user requesting a rendered version of said digital 
work be rendered on a user rendering system having a 
rendering repository; 

c) said distribution repository determining if said user 
rendering system meets the specified criteria in said 
rendering right; 

d) if said rendering system satisfies said specified criteria, 
said distribution repository encrypting said digital work 
and sending to said rendering repository; 

e) said rendering repository gathering watermark 
information specified in said rendering right; 

f) said rendering repository encoding data for said 
watermark information; 

g) said rendering repository decrypting said digital work 
and embedding said watermark information, to be 
transmitted for subsequent extraction of watermark 
information; and 

h) said rendering repository transmitting said digital work 
with embedded watermark information to a rendering 
device for rendering. 

20. The method as recited in claim 19 wherein said criteria 
for said rendering repository is comprised of a security 
criteria and a watermarking criteria. 

21. The method as recited in claim 19 wherein said 
rendering right is further for specifying watermark 
information indicating information identifying a rendering event. 

22. The method as recited in claim 21 wherein said 
rendering right is a print right and said rendering repository 
is a printer repository. 

23. The method as recited in claim 13, wherein said 
rendering criteria is further comprised of a predetermined 
security level for said rendering system. 

24. The system as recited in claim 13, wherein said 
rendering criteria is further comprised of a predetermined 
watermarking capabilities for said rendering system. 

25. A system for controlling the distribution and use of 
digital works comprising: 

at least one digital work having an associated rendering 
usage right, said associated rendering usage right for 
permitting said digital work to be rendered, said 
rendering usage right further specifying watermark 
information to be embedded into a rendering of said digital 
work, said watermark information including information 
related to the rendering of said digital work, and 
said rendering usage right further specifying rendering 
criteria that an instance of a rendering system must 
satisfy before the digital work can be rendered, said 
rendering right originally being an external data with 
respect to the watermark; 

a communication medium for coupling repositories to 
enable exchange of repository transaction messages, 

a general repository for storing and securely exchanging 
digital works; 

a rendering system comprising a rendering repository for 
receiving a digital work to be rendered from said 
general repository and a rendering device for rendering 
digital works, said rendering repository further 
comprising: 

means for determining that said rendering system meets 
said rendering criteria; 

means for gathering watermark information specified 
in a rendering right associated with said digital work 
to be rendered; and 

means for encoding said watermark information for 
embedding in said digital work when rendered. 

26. The system as recited in claim 25, wherein said 
rendering criteria is further comprised of a predetermined 
security level for said rendering system. 

27. The system as recited in claim 25, wherein said 
rendering criteria is further comprised of a predetermined 
watermarking capabilities for said rendering system. 

28. A method for providing watermark information for a 
rendered digital work, said method comprising the steps of: 

a) a digital work creator placing watermark characters on 
said digital work, said watermark characters in an 
original watermark font; 

b) said digital work creator assigning a rendering right to 
said digital work and storing in a distribution 
repository, said rendering right specifying watermark 
information indicating information identifying a 
rendering event; 

c) a user requesting a rendered version of said digital work 
be rendered on a user rendering system having a 
rendering repository; 

d) said rendering repository gathering watermark 
information specified in said rendering right; 

e) said rendering repository encoding data for said 
watermark information as characters in a dynamic watermark 
font, with the capability to be changed, using an 
embedded data technology; 

f) said rendering repository changing the original 
watermark font of said watermark characters to said dynamic 
watermark font; and 

g) said rendering repository transmitting said digital work 
with embedded watermark information to a rendering 
device for rendering. 

* * * * * 